CN104168205B - Message processing method and device

Info

Publication number: CN104168205B
Application number: CN201410383883.9A
Authority: CN (China)
Prior art keywords: acl, tsa, polymerization (aggregate), interface, message
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN104168205A
Inventors: 张太博, 马雪娟
Current assignee: New H3C Technologies Co Ltd
Original assignee: New H3C Technologies Co Ltd
Classification: Data Exchanges In Wide-Area Networks

Abstract

The present invention provides a message (packet) processing method and device. The method includes: a GM device receives a negotiation packet from the KS in a GDVPN; when it determines that the interface on which the negotiation packet was received is configured with an aggregate ACL (rendered "polymerization ACL" in the machine translation), it adds the flow information contained in all TSA information segments of the negotiation packet, together with the Security Parameter Index (SPI) contained in any one TSA information segment, to the aggregate ACL that corresponds, in the aggregate ACL flow table, to the domain the interface registered with; it generates one TSA pair from the TSA information contained in any one TSA information segment of the negotiation packet, establishes a correspondence between that TSA pair and the SPI, and processes the data packets received on the interface according to the corresponding aggregate ACL and that correspondence. With this technical scheme the number of TSA pairs stored in the GM device is effectively reduced, excessive memory occupation is avoided, and the data packet processing and forwarding performance of the GM device is improved.

Description

Message processing method and device
Technical field
The present invention relates to the field of communication technology, and in particular to a message processing method and device.
Background
GDVPN (Group Domain VPN) is a solution for centralized management of keys and policies. Unlike a traditional IPsec VPN, which uses point-to-point tunnel connections, GDVPN is a point-to-multipoint, tunnel-less VPN connection (transparent mode). A GDVPN implementation mainly comprises three parts: the KS (Key Server), the GM (Group Member) and GDOI (Group Domain Of Interpretation). The KS distributes encryption keys and IPsec (IP Security) policies to all GMs; each GM encrypts and decrypts traffic with the keys the KS distributes; and the GDOI protocol is the group key management protocol between KS and GM.
The process by which a GM obtains encryption keys from the KS mainly consists of two phases: 1) in the first phase, GM and KS negotiate; specifically, the KS authenticates the GM through the IKE (Internet Key Exchange) protocol and an IKE SA (IKE Security Association) is negotiated; 2) in the second phase, a secure channel is established using the IKE SA, and the KS and GM negotiate over this secure channel to obtain the IPsec SAs with which the GM encrypts and decrypts traffic. Because the second-phase IPsec SAs are used to encrypt and decrypt traffic, they may be called TSAs (Traffic SAs).
Multiple domains can be created on the KS, and each GM may join one or more of them. Through the two-phase negotiation above, the KS generates the same TSA pair (i.e. one TSA for encryption and one TSA for decryption) for all GMs in the same domain, so as to protect VPN traffic between the GMs of that domain.
However, when the KS generates TSA pairs for a domain, it generates them for all flow information (i.e. Rules) configured on all GMs in that domain, so TSA pairs and flow information correspond one to one, and every GM must store all flow information of its domain (the flow information configured in that domain for all GMs) together with the corresponding TSA pairs. As a result, the number of TSA pairs stored in a GM grows with the amount of flow information, which not only degrades the GM's lookup and forwarding performance but also consumes a large amount of memory and may even cause memory overflow.
Summary of the invention
In view of this, the present invention provides a new technical scheme that solves the technical problem of performance degradation and memory overflow caused by an excessive number of TSA pairs stored in a GM device.
To achieve the above object, the present invention provides the following technical schemes:
According to a first aspect of the invention, a message processing method is proposed, including:
a GM device in a GDVPN receives a negotiation packet from the KS in the GDVPN, the negotiation packet including multiple Traffic Security Association (TSA) information segments;
when it is determined that the interface on which the negotiation packet was received is configured with an aggregate access control list (ACL), adding the flow information contained in all TSA information segments of the negotiation packet, and the Security Parameter Index (SPI) contained in any one TSA information segment, to the aggregate ACL that corresponds, in the aggregate ACL flow table, to the domain the interface registered with;
generating one TSA pair from the TSA information contained in any one TSA information segment of the negotiation packet, establishing a correspondence between that TSA pair and the SPI, and processing the data packets received on the interface according to the corresponding aggregate ACL and the correspondence.
According to a second aspect of the invention, a message processing device is proposed, including:
a packet receiving unit, which receives a negotiation packet from the KS in the GDVPN, the negotiation packet including multiple TSA information segments;
an information adding unit, which, when it is determined that the interface on which the negotiation packet was received is configured with an aggregate ACL, adds the flow information contained in all TSA information segments of the negotiation packet and the SPI contained in any one TSA information segment to the aggregate ACL that corresponds, in the aggregate ACL flow table, to the domain the interface registered with;
a key generating unit, which generates one TSA pair from the TSA information contained in any one TSA information segment of the negotiation packet and establishes the correspondence between that TSA pair and the SPI;
a packet processing unit, which processes the data packets received on the interface according to the corresponding aggregate ACL and the correspondence.
It can be seen from the above technical schemes that, by building aggregate ACLs and establishing an SPI-based association between an aggregate ACL and the stored TSA pair, the invention lets a GM device store only one TSA pair per domain. This effectively reduces the number of TSA pairs that must be stored, improves the GM device's lookup and forwarding performance, and avoids excessive memory occupation.
Brief description of the drawings
Fig. 1 shows the KS-GM network structure according to an example embodiment of the invention;
Fig. 2 shows the flow of the message processing method according to an example embodiment of the invention;
Fig. 3 shows the structure of the negotiation packet according to an example embodiment of the invention;
Fig. 4 shows the structure of a TSA information segment according to an example embodiment of the invention;
Fig. 5 shows how TSA information is stored in the related art;
Fig. 6 shows the flow of processing a data packet in the related art;
Fig. 7 shows how TSA information is stored according to an example embodiment of the invention;
Fig. 8 shows the flow of processing a data packet according to an example embodiment of the invention;
Fig. 9 shows a block diagram of the message processing device according to an example embodiment of the invention.
Detailed description
Referring to Fig. 1, which shows the KS-GM network structure according to an example embodiment of the invention: it includes one KS and 100 GMs, GM1, GM2, ... GM100, each connected to the KS over an IP network and joining domains created by the KS. Assume that, for a domain M1 created by the KS, GM1 registers with the KS and joins M1 through interface Eth1-1 and through interface Eth1-2, GM2 registers and joins M1 through interface Eth2-1, ..., and GM100 registers and joins M1 through interface Eth100-1.
Assume the KS has 300 pieces of flow information configured in total for all GM interfaces registered with M1. Each interface then has to receive 300 TSA information segments carrying those 300 pieces of flow information, i.e. 300 × 2 = 600 TSAs (each piece of flow information corresponds to one TSA pair, and each TSA pair comprises 2 TSAs, one for encryption and one for decryption). Since GM2 registers with domain M1 only through interface Eth2-1, GM2 must store 600 TSAs for domain M1; since GM1 registers with domain M1 through both interface Eth1-1 and interface Eth1-2, GM1 must store 600 × 2 = 1200 TSAs for domain M1. The TSA counts stored in the other GM devices are calculated in the same way and are not repeated here.
Moreover, since the interfaces of every GM may register with multiple domains on the KS, assume the KS has created 100 domains; the number of TSAs stored in each GM is then as follows: if interface Eth2-1 on GM2 registers with all 100 domains on the KS, GM2 stores 600 × 100 = 60000 TSAs; if interfaces Eth1-1 and Eth1-2 on GM1 each register with all 100 domains on the KS, GM1 stores 1200 × 100 = 120000 TSAs. And as the number of GMs and the amount of flow information increase, the number of TSAs keeps growing.
It can be seen that the related-art processing leaves an extremely large number of TSAs stored in each GM, which not only affects the GM's processing performance but also occupies a large amount of memory and may even cause memory overflow. To solve these problems, the invention proposes the message processing method shown in Fig. 2. The method applies to a group member (GM) device in a GDVPN, which performs the following steps:
Step 202: during GDOI registration with the KS in the GDVPN, receive a negotiation packet from the KS; the negotiation packet includes multiple TSA information segments.
In this embodiment, for each domain that each interface of the GM device joins, the KS generates one corresponding negotiation packet and uses it to advertise to the GM device the TSA information segments for that domain. For example, if interface 1 of the GM device joins the domains M1 and M2 created by the KS, the KS generates negotiation packet 1 and negotiation packet 2 for the GM device, where negotiation packet 1 carries the TSA information segments applying to domain M1 and negotiation packet 2 carries the TSA information segments applying to domain M2.
The schematic structure of a negotiation packet is shown in Fig. 3. Because TSA pairs correspond one to one with the flow information configured on the KS, assume the KS is configured with 200 pieces of flow information; the negotiation packet then contains 200 TSA information segments, each containing one piece of flow information: TSA information segment 1 contains flow information 1, TSA information segment 2 contains flow information 2, ..., and TSA information segment 200 contains flow information 200.
Specifically, Fig. 4 shows the schematic structure of each TSA information segment. A TSA information segment contains, in order, the fields "Protocol", "SRC ID Type", "SRC ID Port", "SRC ID Data Len", "SRC Identification Data", "DST ID Type", "DST ID Port", "DST ID Data Len", "DST Identification Data", "Transform ID", "SPI (Security Parameter Index)" and "SA Attributes of RFC 2407" (the security association attributes defined in RFC 2407). The fields from "Protocol" through "DST Identification Data" are the flow information contained in the TSA information segment.
Step 204: when it is determined that the interface on which the negotiation packet was received is configured with an aggregate access control list (ACL), add the flow information contained in all TSA information segments of the negotiation packet, and the SPI contained in any one TSA information segment, to the aggregate ACL that corresponds, in the aggregate ACL flow table, to the domain the interface registered with.
In this embodiment, an interface being configured with an aggregate ACL means that the interface of the GM device has been given a specific functional configuration in advance, enabling the aggregate ACL function on it and reserving, in the aggregate ACL flow table, the space for recording the aggregate ACL. The technical scheme proposed by the invention can then be applied to reduce the number of stored TSAs; otherwise, processing follows the related art.
Specifically, whether the interface receiving the negotiation packet is configured with an aggregate ACL can be determined as follows:
First, determine the IPsec policy bound on the interface according to the domain identifier, carried in the negotiation packet currently received, of the domain the interface registered with, and the pre-configured correspondence between domain identifiers and IPsec policies. Since the KS issues a separate negotiation packet for each domain a GM registers with, assume interface 1 of the GM device currently receives the negotiation packet for domain M1; the GM device then has to obtain the IPsec policy bound on interface 1 for domain M1.
Then, according to the pre-configured correspondence between policy types and aggregate ACL flow tables, determine whether the type of that IPsec policy corresponds to an aggregate ACL flow table. The GM device can establish a correspondence between policy types and ACL flow tables in advance: for example, IPsec policies of the type applied to GDOI are associated with the aggregate ACL flow table, while IPsec policies of other types are associated with the ordinary ACL flow table of the related art. Hence, for the IPsec policy bound on interface 1 for domain M1 in the above example, whether the policy is of the GDOI type decides whether its policy type corresponds to the aggregate ACL flow table or to the ordinary ACL flow table.
Finally, when the type of the determined IPsec policy corresponds to the aggregate ACL flow table, it is determined that the interface is configured with an aggregate ACL in the aggregate ACL flow table. Table 1 shows the schematic structure of the aggregate ACL flow table of an example embodiment. In the aggregate ACL flow table, policies and aggregate ACLs are stored in correspondence: for example, when interface 1 of the GM device registers with domain M1 using policy 1, policy 1 and ACL1 are stored in correspondence according to negotiation packet 1 issued by the KS; when interface 1 registers with domain M2 using policy 2, policy 2 and ACL2 are stored in correspondence according to negotiation packet 2 issued by the KS; and when interface 2 of the GM device registers with domain M1 using policy 3, policy 3 and ACL3 are stored in correspondence according to negotiation packet 3 issued by the KS.
Policy 1    ACL1
Policy 2    ACL2
Policy 3    ACL3
Table 1: aggregate ACL flow table
Step 206: generate one TSA pair from the TSA information contained in any one TSA information segment of the negotiation packet, establish the correspondence between that TSA pair and the SPI, and process the data packets received on the interface according to the corresponding aggregate ACL and the correspondence.
In this embodiment, the TSA information segment from which the SPI is taken and the one from which the TSA information is taken may be the same segment or different segments. If the same segment is used, it may be the first TSA information segment in the negotiation packet, although any other TSA information segment can be used in the technical scheme as well.
It can be seen from the above embodiment that, when the GM device receives a negotiation packet, the invention parses all TSA information segments and adds the flow information obtained from them to the aggregate ACL, but takes TSA information from only one TSA information segment, generating and storing a single TSA pair from it, without generating or storing TSA pairs for the TSA information in the other TSA information segments. Therefore, in the technical scheme of the invention, only one TSA pair needs to be stored for each domain joined by each interface of the GM device, which effectively reduces the number of TSA pairs stored in the GM device.
At the same time, by storing the SPI in the aggregate ACL and establishing a correspondence between the SPI and the TSA pair, the invention lets the GM, while storing only one TSA pair, obtain that single stored TSA pair whenever a data packet hits the aggregate ACL, and use it to process the data packet.
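The following is an added example, not code from the patent or from H3C, of steps 202 to 206 in Python: it parses a negotiation packet into TSA information segments with the field order of Fig. 4, puts the flow information of every segment into one aggregate ACL, and keeps the SPI and TSA information of only the first segment, storing a single TSA pair in the SAD under that SPI. The byte widths of the fields (1-byte types and lengths, 2-byte ports, 4-byte SPI, a 2-byte attribute-length prefix), the constant values, and the sample packet are assumptions made here so that the code runs offline; every length field is bounds-checked before use, so a truncated packet is rejected rather than read past its end.

```python
"""Parse a negotiation packet into TSA information segments and build the
aggregate ACL of steps 204/206.  Added example, not the patent's or H3C's
code: field order follows Fig. 4; byte widths, constants and the sample
packet are assumptions made here."""
import struct
from collections import namedtuple

# Flow information = fields Protocol .. DST Identification Data of Fig. 4.
FlowRule = namedtuple("FlowRule", "protocol src_type src_port src_id dst_type dst_port dst_id")
# One TSA information segment: flow rule plus TSA information (transform, SPI, attributes).
TsaSegment = namedtuple("TsaSegment", "rule transform_id spi sa_attributes")
# Encrypt + decrypt TSA derived from one segment (keying material is out of scope here).
TsaPair = namedtuple("TsaPair", "spi transform_id sa_attributes")
# Every rule of the domain plus the single SPI that links to the stored TSA pair.
AggregateAcl = namedtuple("AggregateAcl", "rules spi")


def encode_segment(seg):
    """Serialise a segment; used here only to construct the sample packet."""
    r = seg.rule
    out = struct.pack("!B", r.protocol)
    out += struct.pack("!BHB", r.src_type, r.src_port, len(r.src_id)) + r.src_id
    out += struct.pack("!BHB", r.dst_type, r.dst_port, len(r.dst_id)) + r.dst_id
    out += struct.pack("!BIH", seg.transform_id, seg.spi, len(seg.sa_attributes))
    return out + seg.sa_attributes


def parse_segments(packet):
    """Walk the packet; each length field is bounds-checked before use, so a
    truncated or malformed packet raises instead of reading past the end."""
    segments, offset = [], 0

    def take(n):
        nonlocal offset
        if offset + n > len(packet):
            raise ValueError("truncated TSA segment at offset %d" % offset)
        chunk = packet[offset:offset + n]
        offset += n
        return chunk

    while offset < len(packet):
        (protocol,) = struct.unpack("!B", take(1))
        src_type, src_port, src_len = struct.unpack("!BHB", take(4))
        src_id = take(src_len)
        dst_type, dst_port, dst_len = struct.unpack("!BHB", take(4))
        dst_id = take(dst_len)
        transform_id, spi, attr_len = struct.unpack("!BIH", take(7))
        attributes = take(attr_len)
        rule = FlowRule(protocol, src_type, src_port, src_id, dst_type, dst_port, dst_id)
        segments.append(TsaSegment(rule, transform_id, spi, attributes))
    return segments


def process_negotiation(packet, interface, domain, flow_table, sad):
    """Step 204: flow information of every segment goes into the aggregate ACL
    for (interface, domain).  Step 206: SPI and TSA information of the first
    segment give the single TSA pair, stored in the SAD under that SPI."""
    segments = parse_segments(packet)
    if not segments:
        raise ValueError("negotiation packet carries no TSA information segment")
    first = segments[0]
    acl = AggregateAcl(rules=[s.rule for s in segments], spi=first.spi)
    flow_table[(interface, domain)] = acl
    sad[first.spi] = TsaPair(first.spi, first.transform_id, first.sa_attributes)
    return acl


def subnet_id(addr, mask):
    """ID_IPV4_ADDR_SUBNET identification data: 4 address bytes + 4 mask bytes."""
    return bytes(int(x) for x in addr.split(".")) + bytes(int(x) for x in mask.split("."))


ID_IPV4_ADDR_SUBNET = 4  # ISAKMP identification type (RFC 2407)
PROTO_IPSEC_ESP = 3      # GDOI protocol-id for ESP (assumed value)

# Constructed sample: three rules for domain M1 sharing one transform and one
# SPI, as one negotiation packet from the KS would advertise them.
SAMPLE_PACKET = b"".join(
    encode_segment(TsaSegment(
        FlowRule(PROTO_IPSEC_ESP, ID_IPV4_ADDR_SUBNET, 0, subnet_id(src, "255.255.255.0"),
                 ID_IPV4_ADDR_SUBNET, 0, subnet_id(dst, "255.255.255.0")),
        transform_id=3, spi=0x1001, sa_attributes=b"\x80\x01\x00\x01"))
    for src, dst in [("10.1.1.0", "10.2.1.0"), ("10.1.2.0", "10.2.2.0"),
                     ("10.1.3.0", "10.2.3.0")])


def demo():
    """(rules in the aggregate ACL, TSA pairs in the SAD, SPI kept) -> (3, 1, 0x1001)"""
    flow_table, sad = {}, {}
    acl = process_negotiation(SAMPLE_PACKET, "Eth2-1", "M1", flow_table, sad)
    return len(acl.rules), len(sad), acl.spi
```

Calling demo() shows the point of the scheme: three flow rules arrive in three segments, all three land in the aggregate ACL, but the SAD ends up holding one TSA pair keyed by the single SPI. The related-art path of Fig. 5 would instead create one SAD entry per segment.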
Referring to Fig. 5, which shows how TSA information is stored in the related art: after receiving a negotiation packet from the KS, the GM device parses each TSA information segment in the negotiation packet and obtains the flow information and TSA information contained in each; the flow information is added to the standard ACL flow table, and the TSA information is generated into TSA pairs and added to the SAD (Security Association Database).
Because the flow information and TSA information of every TSA information segment are processed and stored, the flow information in the standard ACLs of the standard ACL flow table and the TSA pairs stored in the SAD correspond one to one; for example, as shown in Fig. 5, flow information 1 in the standard ACL corresponds to TSA pair 1 in the SAD, flow information 2 to TSA pair 2, flow information 3 to TSA pair 3, and so on. Accordingly, the related-art processing of a data packet, shown in Fig. 6, includes:
Step 602: assume a data packet in the GM device needs to be forwarded through interface 1.
Step 604: according to the domain identifier carried by the data packet and the pre-configured correspondence between domain identifiers and IPsec policies, judge whether interface 1 has bound an IPsec policy for that domain; if so, go to step 606, otherwise go to step 618.
Step 606: hand the data packet to be forwarded over to the IPsec module for processing.
Step 608: according to the IPsec policy bound on interface 1 for the above domain identifier, look up the corresponding standard ACL in the standard ACL flow table. Table 2 shows the schematic structure of the related-art standard ACL flow table, in which policies and standard ACLs are stored in correspondence: policy 1 is stored in correspondence with standard ACL 1 (not labelled), which contains Rule0, Rule1, Rule2 and Rule3; policy 2 is stored in correspondence with standard ACL 2 (not labelled), which contains Rule0', Rule1' and Rule2'. Thus, assuming interface 1 has bound policy 1 for the above domain identifier, interface 1 currently corresponds to standard ACL 1 in the standard ACL flow table.
Policy 1    Standard ACL 1: Rule0, Rule1, Rule2, Rule3
Policy 2    Standard ACL 2: Rule0', Rule1', Rule2'
Table 2: standard ACL flow table (related art)
Step 610: match the forwarding information of the data packet against the Rules in the standard ACL. Specifically, for policy 1 bound on interface 1, the forwarding information of the data packet currently to be forwarded through interface 1 is matched against Rule0, Rule1, Rule2 and Rule3 in standard ACL1 corresponding to policy 1.
Step 612: judge whether a matching Rule exists; if so, go to step 614, otherwise go to step 618.
Step 614: according to the matched Rule, look up the corresponding TSA pair in the SAD.
Step 616: using the TSA pair found, encapsulate the data packet and forward it through interface 1.
Step 618: forward the data packet in plaintext through interface 1.
Note that the above flow is described taking the forwarding of a data packet through interface 1 as an example, so in step 616 the data packet is encrypted with the TSA pair found and then forwarded. When an IPsec-encapsulated data packet received on interface 1 is processed, the protocol number used by the packet (obtained by parsing its header) is examined: if it is AH (Authentication Header, protocol number 51) or ESP (Encapsulating Security Payload, protocol number 50), the packet is handed to the IPsec module for parsing and decrypted with the TSA pair found; if it is another protocol, or no matching TSA pair is found, the data packet is discarded.
Also, the processing flow of Fig. 6 is based on the structure of Fig. 5, and the TSA pairs stored in the SAD of Fig. 5 are all used for the same domain, i.e. TSA pair 1, TSA pair 2, TSA pair 3 and so on are essentially identical, so the SAD holds a large amount of duplicate data. When many TSA pairs are stored in the SAD, step 614 needs more time to find the matching TSA pair, which reduces the efficiency with which the GM processes data packets.
Corresponding to Fig. 5, Fig. 7 shows how TSA information is stored according to an example embodiment of the invention, consistent with the message processing method of Fig. 2:
Assume interface 1 of the GM device registers with domain M1 on the KS; a corresponding aggregate ACL is then created. Likewise, aggregate ACLs are created for the other domains interface 1 registers with, and for the registrations of the other interfaces of the GM device with each domain. When the GM device receives the negotiation packet from the KS, it parses all TSA information segments; the flow information of all TSA information segments is added to the corresponding aggregate ACL, but only the SPI of one TSA information segment is added to that aggregate ACL, and only the TSA information of one TSA information segment is generated into a TSA pair and stored in the SAD, with an association established between that TSA pair and the SPI added to the aggregate ACL. Consequently, when a data packet matches any of flow information 1 to n in the aggregate ACL, the TSA pair stored in the SAD can be found through the SPI stored in the aggregate ACL, without a separate TSA pair being stored for each piece of flow information. The specific processing is shown in Fig. 8 and includes:
Step 802: assume a data packet in the GM device needs to be forwarded through interface 1.
Step 804: according to the domain identifier carried by the data packet to be forwarded and the pre-configured correspondence between domain identifiers and IPsec policies, judge whether interface 1 has bound an IPsec policy; if so, go to step 806, otherwise go to step 818.
Step 806: hand the data packet to be forwarded over to the IPsec module for processing.
Step 808: look up the aggregate ACL matching interface 1. Specifically, determine the IPsec policy bound on interface 1 for the above domain identifier, and, according to the pre-configured correspondence between IPsec policy types and aggregate ACL flow tables, determine whether that IPsec policy corresponds to the aggregate ACL flow table.
According to an example embodiment of the invention, Table 3 shows the concrete structure of the aggregate ACL flow table, in which IPsec policies and aggregate ACLs are stored in correspondence: policy 1 is stored in correspondence with aggregate ACL1 (not labelled), which contains Rule0, Rule1, Rule2 and Rule3 and also stores the corresponding SPI, e.g. SPI1; policy 2 is stored in correspondence with aggregate ACL2 (not labelled), which contains Rule0', Rule1' and Rule2' and also stores the corresponding SPI2.
Assume interface 1 has bound policy 2 for the domain identifier carried in the data packet to be forwarded, and that the type of policy 2 corresponds to the aggregate ACL flow table; it can then be determined that interface 1 corresponds to aggregate ACL2 in the aggregate ACL flow table.
Policy 1    Aggregate ACL1: Rule0, Rule1, Rule2, Rule3    SPI1
Policy 2    Aggregate ACL2: Rule0', Rule1', Rule2'        SPI2
Table 3: aggregate ACL flow table
Step 810: match the forwarding information of the data packet against Rule0', Rule1', Rule2' etc. in aggregate ACL2.
Step 812: judge whether a matching Rule exists; if so, go to step 814, otherwise go to step 818.
Step 814: since a matching Rule exists, the current aggregate ACL2 is hit, and the corresponding TSA pair is looked up in the SAD according to SPI2 in aggregate ACL2.
Step 816: using the TSA pair found, encapsulate the data packet and forward it through interface 1.
Step 818: forward the data packet in plaintext through interface 1.
Note that the above flow is described taking the forwarding of a data packet through interface 1 as an example, so in step 816 the data packet is encrypted with the TSA pair found and then forwarded. When an IPsec-encapsulated data packet received on interface 1 is processed, the protocol number used by the packet (obtained by parsing its header) is examined: if it is AH or ESP, the packet is handed to the IPsec module for parsing and decrypted with the TSA pair found; if it is another protocol, or no matching TSA pair is found, the data packet is discarded.
Also, the processing flow of Fig. 8 is based on the structure of Fig. 7, in which "each piece of flow information corresponds to one TSA pair" of Fig. 5 is replaced by "each aggregate ACL corresponds (through its SPI) to one TSA pair", so that the number of TSA pairs stored in the SAD is effectively reduced, the efficiency of looking up the TSA pair in step 816 is improved, and excessive occupation of GM memory is avoided.
Specifically, taking the network structure of Fig. 1 again as an example: for all GM interfaces registered with M1, although the KS has 300 pieces of flow information configured in total, those 300 pieces of flow information are added to an aggregate ACL, so each interface stores only 2 TSAs for the 300 pieces of flow information. Since GM2 registers with domain M1 only through interface Eth2-1, GM2 stores 2 TSAs for domain M1; since GM1 registers with domain M1 through both interface Eth1-1 and interface Eth1-2, GM1 stores 2 × 2 = 4 TSAs for domain M1. The TSA counts stored in the other GM devices are calculated in the same way and are not repeated here.
Moreover, since the interfaces of every GM may register with multiple domains on the KS, assume the KS has created 100 domains; the number of TSAs stored in each GM is then as follows: if interface Eth2-1 on GM2 registers with all 100 domains on the KS, GM2 stores 2 × 100 = 200 TSAs, far fewer than the 60000 of the related art; if interfaces Eth1-1 and Eth1-2 on GM1 each register with all 100 domains on the KS, GM1 stores 4 × 100 = 400 TSAs, far fewer than the 120000 of the related art. Furthermore, even if the number of GMs joining domain M1 increases and the KS configures more flow information for the GMs, the number of TSAs stored in each GM does not grow, which effectively prevents GM performance degradation and memory overflow.
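The following is an added example, not code from the patent or from H3C, that models the forwarding paths of Fig. 6 and Fig. 8 side by side in Python and then reproduces the TSA counts of the Fig. 1 scenario. A GroupMember object holds the interface-to-policy bindings, the policy type that selects the standard or the aggregate ACL flow table, both flow tables and the SAD; forward() runs steps 604 to 618 or 804 to 818 for an outbound packet, receive() applies the AH/ESP rule stated after steps 616/816, and stored_tsa_count() registers interfaces with domains in either mode and returns how many TSAs the SAD holds. Policy names, rules, domains, packets and the placeholder key strings are constructed here; matching rules by exact source/destination strings (a real GM would use prefix matching) is a simplification.

```python
"""Fig. 6 (standard ACL, one TSA pair per rule) beside Fig. 8 (aggregate ACL,
one SPI, one TSA pair) on the forwarding path, plus the SAD sizes each leaves
behind.  Added example, not the patent's or H3C's code; all policies, rules,
domains and packets are constructed here."""
from collections import namedtuple

Rule = namedtuple("Rule", "src dst")               # flow information, simplified
Packet = namedtuple("Packet", "domain src dst")    # forwarding info of an outbound packet
TsaPair = namedtuple("TsaPair", "spi encrypt decrypt")

AH, ESP = 51, 50                                   # IP protocol numbers


class GroupMember:
    def __init__(self):
        self.binding = {}          # (interface, domain id) -> policy name
        self.policy_type = {}      # policy -> "GDOI" (aggregate table) or "OTHER"
        self.standard_table = {}   # policy -> {rule: spi}       (Fig. 5, Table 2)
        self.aggregate_table = {}  # policy -> (rules, spi)       (Fig. 7, Table 3)
        self.sad = {}              # spi -> TsaPair
        self._spi = 0x1000

    def _store_tsa_pair(self):
        """Allocate an SPI and store one TSA pair (placeholder keys) under it."""
        self._spi += 1
        self.sad[self._spi] = TsaPair(self._spi, "enc-key", "dec-key")
        return self._spi

    def register_standard(self, interface, domain, policy, rules):
        """Related art: every rule of the domain gets its own TSA pair."""
        self.binding[(interface, domain)] = policy
        self.policy_type[policy] = "OTHER"
        table = self.standard_table.setdefault(policy, {})
        for rule in rules:
            table[rule] = self._store_tsa_pair()

    def register_aggregate(self, interface, domain, policy, rules):
        """Invention: all rules in one aggregate ACL, one SPI, one TSA pair."""
        self.binding[(interface, domain)] = policy
        self.policy_type[policy] = "GDOI"
        self.aggregate_table[policy] = (list(rules), self._store_tsa_pair())

    def forward(self, interface, pkt):
        """Steps 604-618 / 804-818 for a packet leaving `interface`."""
        policy = self.binding.get((interface, pkt.domain))
        if policy is None:                              # no policy bound: step 618/818
            return ("plaintext", None)
        key = Rule(pkt.src, pkt.dst)
        if self.policy_type[policy] == "GDOI":          # aggregate ACL flow table
            rules, spi = self.aggregate_table[policy]
            if key in rules:                            # any rule hit -> the one SPI (step 814)
                return ("encrypt", self.sad[spi])
        else:                                           # standard ACL flow table
            spi = self.standard_table[policy].get(key)  # matched rule -> its own pair (step 614)
            if spi is not None:
                return ("encrypt", self.sad[spi])
        return ("plaintext", None)                      # no matching Rule: step 618/818

    def receive(self, protocol, spi):
        """Inbound rule stated after steps 616/816: AH or ESP carrying a stored
        SPI is decrypted with that TSA pair; anything else is discarded."""
        if protocol in (AH, ESP) and spi in self.sad:
            return ("decrypt", self.sad[spi])
        return ("drop", None)


def stored_tsa_count(mode, interfaces, domains, flows_per_domain):
    """TSAs (2 per pair) a GM stores when each listed interface registers with
    `domains` domains that each carry `flows_per_domain` rules."""
    gm = GroupMember()
    register = gm.register_aggregate if mode == "aggregate" else gm.register_standard
    for interface in interfaces:
        for d in range(domains):
            rules = [Rule("10.%d.%d.0/24" % (i // 256, i % 256), "M%d-dst" % d)
                     for i in range(flows_per_domain)]
            register(interface, "M%d" % d, "%s/M%d" % (interface, d), rules)
    return 2 * len(gm.sad)
```

With 300 rules per domain and 100 domains, stored_tsa_count("standard", ["Eth2-1"], 100, 300) returns 60000 and stored_tsa_count("aggregate", ["Eth2-1"], 100, 300) returns 200, matching the GM2 figures above; GM1 with two interfaces gives 120000 versus 400. The lookup result for a hit is the same TsaPair in both modes, which is the property that makes the aggregation safe: only the bookkeeping differs.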
Corresponding to the above message processing method, the present invention proposes a message processing device as shown in Fig. 9. The message processing device may be a GM device in the GDVPN and includes:
a message receiving unit, which receives the negotiation packet of the KS in the GDVPN, the negotiation packet including multiple TSA message segments;
an information adding unit, which, when it determines that the interface receiving the negotiation packet is configured with an aggregated access control list (ACL), adds the flow information included in all TSA message segments in the negotiation packet and the SPI included in any TSA message segment to the aggregated ACL corresponding to the domain registered by the interface in the aggregated ACL flow table;
a key generating unit, which generates one TSA pair from the TSA information included in any TSA message segment in the negotiation packet and establishes the correspondence between this TSA pair and the SPI;
a message processing unit, which processes the data packets received by the interface according to the corresponding aggregated ACL and the correspondence.
Optionally, the information adding unit is specifically configured to:
determine, according to the domain identifier registered by the interface carried in the negotiation packet and the pre-configured correspondence between domain identifiers and IPsec policies, the IPsec policy bound to the interface that corresponds to the domain identifier carried in the negotiation packet; and
if, according to the pre-configured correspondence between policy types and aggregated ACL flow tables, the type of the determined IPsec policy corresponds to an aggregated ACL flow table, determine that the interface is configured with an aggregated ACL in the aggregated ACL flow table.
Optionally, the message processing unit is specifically configured to:
when it determines that a data packet received by the interface hits the corresponding aggregated ACL, determine the TSA pair corresponding to the SPI according to the SPI included in the corresponding aggregated ACL and the correspondence, and perform encryption or decryption processing on the data packet according to the determined TSA pair.
Optionally, the message processing unit is specifically configured to:
when the interface receives a data packet, determine, according to the domain identifier registered by the interface carried in the data packet and the pre-configured correspondence between domain identifiers and IPsec policies, the IPsec policy bound to the interface that corresponds to the domain identifier carried in the data packet; and
if, according to the pre-configured correspondence between IPsec policy types and aggregated ACL flow tables, the type of the determined IPsec policy corresponds to an aggregated ACL flow table, determine the aggregated ACL in the aggregated ACL flow table that corresponds to the determined IPsec policy, and, when the aggregated ACL contains flow information matching the data packet, judge that the data packet hits that aggregated ACL.
Optionally, the above correspondence between the TSA pair and the SPI is stored in the local SAD.
Therefore, by establishing an aggregated ACL and storing an SPI-based association between the aggregated ACL and the TSA pair, the present invention allows a GM device to store only one TSA pair for each domain. This effectively reduces the number of TSA pairs that need to be stored, improves the lookup and forwarding performance of the GM device, and avoids excessive memory occupation.
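The TSA counting argument of the embodiment and the negotiation and data-plane handling of the device units, as an added Python model that is not part of the patent: GroupMember, TsaPair, AggregatedAcl, the flow strings and the SPI values are all constructed for illustration, and the KS negotiation packet is reduced to a list of (flow, SPI) segments.

```python
from dataclasses import dataclass, field
import secrets

@dataclass
class TsaPair:
    """One inbound and one outbound transport SA: the patent counts this as 2 TSAs."""
    spi: int
    inbound_key: bytes
    outbound_key: bytes

@dataclass
class AggregatedAcl:
    """One entry of the aggregated ACL flow table: the domain's SPI plus every
    flow (stream information) the KS pushed for that domain."""
    spi: int
    flows: set = field(default_factory=set)

class GroupMember:
    """Model of a GM (constructed for illustration): an aggregated ACL flow table
    keyed by (interface, domain) and a local SAD keyed by (interface, SPI), so each
    registered interface holds one TSA pair per domain, matching the patent's count."""

    def __init__(self, policy_type_of_domain):
        # pre-configured: domain identifier -> IPsec policy type
        self.policy_type_of_domain = policy_type_of_domain
        self.acl_table = {}  # (interface, domain) -> AggregatedAcl
        self.sad = {}        # (interface, spi) -> TsaPair

    def receive_negotiation(self, interface, domain, tsa_segments):
        """tsa_segments: list of (flow, spi) pairs, one per TSA segment of the KS packet."""
        # policy-type check: only an "aggregated" policy maps to the aggregated ACL flow table
        if not tsa_segments or self.policy_type_of_domain.get(domain) != "aggregated":
            return  # the related art's per-flow path is not modelled here
        spi = tsa_segments[0][1]  # the SPI is taken from any one segment
        # the first negotiation for (interface, domain) creates the entry and fixes its SPI
        acl = self.acl_table.setdefault((interface, domain), AggregatedAcl(spi))
        acl.flows.update(flow for flow, _ in tsa_segments)
        self.sad.setdefault((interface, spi), TsaPair(
            spi, secrets.token_bytes(16), secrets.token_bytes(16)))  # one pair per domain

    def tsa_count(self):
        return 2 * len(self.sad)

    def lookup_tsa(self, interface, domain, flow):
        """Data-plane path: hit the aggregated ACL, then SPI -> TSA pair through the SAD."""
        acl = self.acl_table.get((interface, domain))
        if acl is None or flow not in acl.flows:
            return None  # ACL miss: no TSA pair applies to this packet
        return self.sad[(interface, acl.spi)]

def related_art_tsa_count(n_interfaces, n_domains, flows_per_domain):
    """Without aggregation every flow of every domain on every interface gets its own TSA pair."""
    return 2 * n_interfaces * n_domains * flows_per_domain

def ks_segments(domain_index, flows_per_domain=300):
    """Constructed negotiation content: 300 flows per domain and one SPI per domain."""
    spi = 0x1000 + domain_index
    return [(f"10.{domain_index}.0.0/16->192.168.{i // 256}.{i % 256}/32", spi)
            for i in range(flows_per_domain)]
```

Registering Eth2-1 to 100 domains yields tsa_count() == 200 and registering Eth1-1 and Eth1-2 yields 400, against 60000 and 120000 from related_art_tsa_count, reproducing the figures given above.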
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. A message processing method, characterized by comprising:
a group member (GM) device in a group domain VPN (GDVPN) receiving a negotiation packet of a key server (KS) in the GDVPN, the negotiation packet including multiple transport security association (TSA) message segments;
when it is determined that the interface receiving the negotiation packet is configured with an aggregated access control list (ACL), adding the flow information included in all TSA message segments in the negotiation packet and the security parameter index (SPI) included in any TSA message segment to the aggregated ACL corresponding to the domain registered by the interface in an aggregated ACL flow table;
generating one TSA pair from the TSA information included in any TSA message segment in the negotiation packet, establishing the correspondence between this TSA pair and the SPI, and processing the data packets received by the interface according to the corresponding aggregated ACL and the correspondence.
2. The method according to claim 1, characterized in that the GM device determines in the following manner that the interface receiving the negotiation packet is configured with an aggregated ACL:
the GM device determines, according to the domain identifier registered by the interface carried in the negotiation packet and the pre-configured correspondence between domain identifiers and IP security policies, the IP security policy bound to the interface that corresponds to the domain identifier carried in the negotiation packet;
if, according to the pre-configured correspondence between IP security policy types and aggregated ACL flow tables, the type of the determined IP security policy corresponds to an aggregated ACL flow table, it determines that the interface is configured with an aggregated ACL in the aggregated ACL flow table.
3. The method according to claim 1, characterized in that the GM device processing the data packets received by the interface according to the corresponding aggregated ACL and the correspondence specifically comprises:
when the GM device determines that a data packet received by the interface hits the corresponding aggregated ACL, determining the TSA pair corresponding to the SPI according to the SPI included in the corresponding aggregated ACL and the correspondence;
performing encryption or decryption processing on the data packet according to the determined TSA pair.
4. The method according to claim 3, characterized in that the GM device determines in the following manner that a data packet received by the interface hits the corresponding aggregated ACL:
when the interface receives a data packet, the GM device determines, according to the domain identifier registered by the interface carried in the data packet and the pre-configured correspondence between domain identifiers and IP security policies, the IP security policy bound to the interface that corresponds to the domain identifier carried in the data packet;
if, according to the pre-configured correspondence between IP security policy types and aggregated ACL flow tables, the type of the determined IP security policy corresponds to an aggregated ACL flow table, it determines the aggregated ACL in the aggregated ACL flow table that corresponds to the determined IP security policy, and, when the aggregated ACL contains flow information matching the data packet, judges that the data packet hits that aggregated ACL.
5. The method according to any one of claims 1 to 4, characterized in that the correspondence between the TSA pair and the SPI is stored in a local security association database (SAD).
6. A message processing device, characterized by comprising:
a message receiving unit, which receives a negotiation packet of a key server (KS) in a group domain VPN (GDVPN), the negotiation packet including multiple transport security association (TSA) message segments;
an information adding unit, which, when it is determined that the interface receiving the negotiation packet is configured with an aggregated access control list (ACL), adds the flow information included in all TSA message segments in the negotiation packet and the security parameter index (SPI) included in any TSA message segment to the aggregated ACL corresponding to the domain registered by the interface in an aggregated ACL flow table;
a key generating unit, which generates one TSA pair from the TSA information included in any TSA message segment in the negotiation packet and establishes the correspondence between this TSA pair and the SPI;
a message processing unit, which processes the data packets received by the interface according to the corresponding aggregated ACL and the correspondence.
7. The device according to claim 6, characterized in that the information adding unit is specifically configured to:
determine, according to the domain identifier registered by the interface carried in the negotiation packet and the pre-configured correspondence between domain identifiers and IP security policies, the IP security policy bound to the interface that corresponds to the domain identifier carried in the negotiation packet; and
if, according to the pre-configured correspondence between IP security policy types and aggregated ACL flow tables, the type of the determined IP security policy corresponds to an aggregated ACL flow table, determine that the interface is configured with an aggregated ACL in the aggregated ACL flow table.
8. The device according to claim 6, characterized in that the message processing unit is specifically configured to:
when it is determined that a data packet received by the interface hits the corresponding aggregated ACL, determine the TSA pair corresponding to the SPI according to the SPI included in the corresponding aggregated ACL and the correspondence, and perform encryption or decryption processing on the data packet according to the determined TSA pair.
9. The device according to claim 8, characterized in that the message processing unit is specifically configured to:
when the interface receives a data packet, determine, according to the domain identifier registered by the interface carried in the data packet and the pre-configured correspondence between domain identifiers and IP security policies, the IP security policy bound to the interface that corresponds to the domain identifier carried in the data packet; and
if, according to the pre-configured correspondence between IP security policy types and aggregated ACL flow tables, the type of the determined IP security policy corresponds to an aggregated ACL flow table, determine the aggregated ACL in the aggregated ACL flow table that corresponds to the determined IP security policy, and, when the aggregated ACL contains flow information matching the data packet, judge that the data packet hits that aggregated ACL.
10. The device according to any one of claims 6 to 9, characterized in that the correspondence between the TSA pair and the SPI is stored in a local security association database (SAD).
CN201410383883.9A 2014-08-06 2014-08-06 message processing method and device Active CN104168205B (en)
Publications (2)

Publication Number Publication Date
CN104168205A CN104168205A (en) 2014-11-26
CN104168205B true CN104168205B (en) 2017-08-08